Cybercriminals shift their tactics for Microsoft Office document exploitation – SophosLabs research

This latest technical paper from our team in SophosLabs examines the newest techniques being used by cybercriminals to conduct Microsoft Office document exploits.

For four years, the preferred vulnerability for a document exploit attack was CVE-2012-0158, but as this vulnerability has aged out – due to users and administrators updating and patching their systems to remediate it – criminals have had to target new vulnerabilities to keep up their attacks.

SophosLabs has found that criminals using several popular exploit kits, including Microsoft Word Intruder, are now predominantly targeting CVE-2015-1641 and CVE-2015-2545.


“The Word bug that just won’t die”: CVE-2012-0158, the cybercrime gift that keeps on taking…

Arguably one of the most exploited Microsoft Office vulnerabilities of the last decade, CVE-2012-0158 owes its longevity to constant adaptation. Ever since its disclosure in 2012, this vulnerability has been the attack vector of choice for attackers who seek to hijack Microsoft Word or Excel and force those programs to execute malicious code.

In fact, according to SophosLabs research, as late as Q4 2015, CVE-2012-0158 was still used by 48% of exploits specifically targeting Office documents.

In this new research paper, Graham Chantry of SophosLabs provides a deep dive into several exploits found in the wild and how they work using CVE-2012-0158.


SophosLabs: Vawtrak banking malware updated with new targets and innovations

A new version of a deceptive banking malware has been responsible for a series of attacks on financial institutions in many countries around the world in the past year, SophosLabs reports in a new research paper.

Vawtrak (also known as NeverQuest and Snifula) has been around for a few years now, yet it continues to thrive as a popular crimeware-as-a-service kit used by a variety of cybercriminal groups.

SophosLabs analysis of what we are simply calling Vawtrak version 2 shows the malware authors have introduced new innovations, while making frequent updates to meet demand and stay ahead of defenses.


Why malware authors keep using the same old Microsoft Office exploits

SophosLabs Principal Malware Researcher Gabor Szappanos has closely studied Microsoft Office exploits for the past few years. We’ve previously covered his investigation of the Microsoft Word Intruder exploit creation kit, and his recent paper exploring the most popular Office exploit kits.

In a new research report, Gabor takes a closer look at the top four Office exploit kits used in the last quarter of 2015. He also reports which exploits were most commonly used in malicious documents, and shows us what families of malware were distributed by the studied samples.

As Gabor explains, malware authors are increasingly attracted to document exploits as the initial entry point for their attacks. The attackers spread their booby-trapped Office documents through phishing emails spammed out to large numbers of random recipients (cybercrime groups), or to a more select list of targets (APT groups).

Notably, the majority of Office exploits malware authors have been using in malicious documents are now several years old. The most popular exploit, CVE-2012-0158, has been around for well over three years now.


Location-based threats: How cybercriminals target you based on where you live

Much like legitimate businesses, cybercriminal enterprises have to be dynamic – standing still means falling behind. A significant example of how cybercriminals are evolving is the growing trend of location-based targeting, through what we call “geo-malware” and regionalized email attacks.

Traditionally, we think of online threats in terms of highly targeted attacks on the one hand and opportunistic cash grabs on the other hand. Nation-state sponsored or advanced persistent threat (APT) attackers target specific individuals or organizations, and the more common, financially motivated digital thieves take an “infect them all” approach.

Our SophosLabs research shows that way of thinking is becoming outdated, as APT attackers and common cybercrooks learn and borrow techniques from one another.

Common online crooks have learned how to become more efficient and increase their yield per victim by targeting individuals based on their specific country, using a variety of methods. Here I will go into a few of them: geo IP lookups; traffic direction services; and email targeting. I will also explain how and why cybercrooks avoid certain countries.


SophosLabs investigates the most popular Microsoft Office exploit kits

Malware authors have been using Microsoft Office document exploits for quite some time, but in the past couple of years, document malware has experienced a resurgence.

Typically, exploited documents are attached to email messages and sent out to large numbers of random recipients (in the case of cybercrime groups) or a smaller number of selected targets (in the case of APT groups).

Office exploit generators play a crucial role in making Office exploitation available to common cybercriminals. However, despite their significance, most Office exploit kits have not been covered in detail.

In a new research paper, SophosLabs Principal Malware Researcher Gabor Szappanos analyzes some of the most impactful Office exploit generators.


How to stay protected against ransomware

If there’s one thing we know about cybercrooks, it’s that they are persistent. When they find a formula that works, they’ll keep on using and improving upon that formula until it no longer gets the job done.

Ransomware that hijacks your files and locks them up using unbreakable encryption has been quite successful for the crooks, making it a widespread and major threat for home users and businesses alike. If you don’t have preventative measures in place and get hit with ransomware, one way or another you will end up paying the price.

In recent months we’ve seen new strains of ransomware crop up that show the problem isn’t going away any time soon. The nasty ransomware known as Locky has been infecting Windows computers through malicious email attachments. There’s even ransomware targeting Android, Linux and Mac.

In light of this ongoing threat, Sophos has created a new resource showing you How to stay protected against ransomware. It’s an easy-to-follow guide offering best practices for keeping your data secure, including how to configure your security, train your staff, and back up your files.
